« Previous Next »

• 03-13-2008, 12:22 PM

  Lowendahl Joined on 04-04-2005, 2:17 PM Stockholm, Sweden Posts 2

  IIS 7 client certificate account mapping Reply Contact Hi, I'm having a bit of trouble with mapping client certificates to user accounts on my windows server 2008. The client cert is in trusted people and is accepted by IIS if I don't turn onetoone mapping on. But as soon as I try to map, I start getting 401.1 errors. this is my config: <iisClientCertificateMappingAuthentication enabled="true" defaultLogonDomain="STHSAPPS" oneToOneCertificateMappingsEnabled="true"> <oneToOneMappings> <add userName="user1" password="password1" enabled="true" certificate="-----BEGIN CERTIFICATE----- long base 64 -----END CERTIFICATE-----" /> <add userName="user2" password="password2" enabled="true" certificate="-----BEGIN CERTIFICATE-----long base 64 -----END CERTIFICATE-----" /> </oneToOneMappings> </iisClientCertificateMappingAuthentication> The base 64 is taken from the .cer file (exported). This is what I get in the trace:  72. +AUTH_REQUEST_AUTH_TYPE  RequestAuthType 128 RequestAuthType CertMap     Warning 73. -MODULE_SET_RESPONSE_ERROR_STATUS  ModuleName IISCertificateMappingAuthenticationModule Notification 2 HttpStatus 401 HttpReason Unauthorized HttpSubStatus 1 ErrorCode 2148086018 ConfigExceptionInfo Notification AUTHENTICATE_REQUEST ErrorCode ASN1 unexpected end of data. (0x80093102)   BTW, what's up with not providing visual aid for this mapping as in IIS &? Patrik Löwendahl [C# MVP] Cornerstone - Stocholm, Sweden blog @ http://www.lowendahl.net

• 03-14-2008, 5:19 PM

  In reply to

  Bret Bentzinger Joined on 05-23-2006, 5:53 PM Posts 50	Re: IIS 7 client certificate account mapping Reply Contact Have you seen this?  http://blogs.iis.net/ulad/archive/2007/01/19/vbscript-to-configure-one-to-one-client-certificate-mapping-on-iis7.aspx   And I agree, we need a UI. -bretb IIS Critical Problem Resolution Microsoft Corp.

• 03-15-2008, 3:16 PM

  In reply to

  Lowendahl Joined on 04-04-2005, 2:17 PM Stockholm, Sweden Posts 2	Re: IIS 7 client certificate account mapping Reply Contact Yes, and my web.config looks exactly like the result produced by the vb.script (although manually crafted) so I'm missing something else. Do I need to configure my accounts in any particular way? Patrik Löwendahl [C# MVP] Cornerstone - Stocholm, Sweden blog @ http://www.lowendahl.net

• 03-17-2008, 1:04 PM

  In reply to

  Bret Bentzinger Joined on 05-23-2006, 5:53 PM Posts 50	Re: IIS 7 client certificate account mapping Reply Contact Did you try the script? -bretb IIS Critical Problem Resolution Microsoft Corp.

• 04-26-2009, 7:51 PM

  In reply to

  JaroDunajsky Joined on 04-19-2005, 10:23 PM Redmond Posts 168

  Re: IIS 7 client certificate account mapping Reply Contact The BEGIN CERTIFICATE and END CERTIFICATE should not be part of the certificate field. Just the Base64 encoded certificate blob is to be there.   Please check out our configuration reference on www.iis.net. http://www.iis.net/ConfigReference/system.webServer/security/authentication/iisClientCertificateMappingAuthentication    Jaroslav Dunajsky (MSFT, IIS)